VBS_SOLOW.AK
Technical Details

File type: Script

Size of malware: 788,612 Bytes

Initial samples received on: Jun 19, 2007


Details:

Arrival Details

This malicious Visual Basic (VB) script may be downloaded from remote site(s) by other malware.

It may be dropped by other malware.

Installation

This malicious VBScript drops the following file(s)/component(s):

    %System%\WIN2K3-SERVER.vbs - copy of itself

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Techniques

This malicious VBScript creates the following registry entry(ies) to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WIN2K3-SERVER = "%System%\WIN2K3-SERVER.vbs"

Propagation via Physical and Removable Drives

This malicious VBScript drops copies of itself in all physical and removable drives as CASE-1013.vbs.

It also drops an AUTORUN.INF file to automatically execute dropped copies when the drives are accessed.

The file AUTORUN.INF contains the following strings:

[autorun]
shellexecute=wscript.exe CASE-1013.vbs

Note that WSCRIPT.EXE, the process referenced in this file, is a legitimate process.
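
A detection check for the AUTORUN.INF pattern described above, added here as an example and not part of the original write-up: it parses the [autorun] section and flags any launch entry that starts a script host or a script file. The function name, the list of script extensions and the benign sample are assumptions made for illustration; it generalizes beyond the single shellexecute line shown on this page to the other launch keys (open, shell\<verb>\command).

```python
import re

# Script hosts and script extensions that rarely belong in a removable drive's autorun.inf.
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # assumed list, extend as needed
# Keys in the [autorun] section that cause a command to be launched.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)

def autorun_findings(text):
    """Return (key, command) pairs in [autorun] that start a script host or a script file."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()      # section names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, command = line.partition("=")
        key, command = key.strip(), command.strip()
        if not LAUNCH_KEYS.match(key):
            continue                                   # icon=, label=, etc. launch nothing
        tokens = re.split(r'[\s"]+', command.lower())
        uses_host = any(t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS for t in tokens)
        runs_script = any(t.endswith(SCRIPT_EXTS) for t in tokens)
        if uses_host or runs_script:
            findings.append((key.lower(), command))
    return findings

# Contents of AUTORUN.INF exactly as listed in this write-up.
SAMPLE_FROM_PAGE = "[autorun]\nshellexecute=wscript.exe CASE-1013.vbs\n"
# Constructed benign sample (a typical installer disc), for contrast.
SAMPLE_BENIGN = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"

if __name__ == "__main__":
    for name, text in (("page sample", SAMPLE_FROM_PAGE), ("benign sample", SAMPLE_BENIGN)):
        print(name, "->", autorun_findings(text) or "no script launch entries")
```
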

Affected Platforms

This malicious VBScript runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Ricardo O. Pineda Jr.

Revision History:

First pattern file version: 5.312.08
First pattern file release date: May 30, 2008
